The NetBSD Project

CVS log for src/sys/net/npf/npf_handler.c

Default branch: MAIN
Current tag: MAIN


Revision 1.26, Sat Feb 9 03:35:31 2013 UTC (3 months, 1 week ago) by rmind
Branch: MAIN
CVS Tags: tls-maxphys-nbase, tls-maxphys-base, khorben-n900, agc-symver-base, agc-symver, HEAD
Changes since 1.25: +26 -21 lines

NPF:
- Implement dynamic NPF rules.  Controlled through npf(3) library or via
  npfctl rule command.  A rule can be removed using a unique identifier,
  returned on addition, or using a key which is SHA1 hash of the rule.
  Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.

Revision 1.25, Sun Jan 20 18:45:56 2013 UTC (4 months ago) by rmind
Branch: MAIN
CVS Tags: yamt-pagecache-base8
Changes since 1.24: +6 -3 lines

- nbuf_ensure_contig: rework to use m_ensure_contig(9), which will not free
  the mbuf chain on failure.  Fixes some corner cases.  Improve regression
  test and sprinkle some asserts.
- npf_reassembly: clear nbuf on IPv6 reassembly failure path (partial fix).
  The problem was found and fix provided by Anthony Mallet.

Revision 1.24, Mon Dec 24 19:05:43 2012 UTC (4 months, 4 weeks ago) by rmind
Branch: MAIN
Changes since 1.23: +69 -43 lines

- Rework NPF's nbuf interface: use advancing and ensuring as a main method.
  Eliminate unnecessary copy and simplify.  Adapt regression tests.
- Simplify ICMP ALG a little.  While here, handle ICMP ECHO for traceroute.
- Minor fixes, misc cleanup.

Revision 1.23, Sat Oct 6 23:38:20 2012 UTC (7 months, 2 weeks ago) by rmind
Branch: MAIN
CVS Tags: yamt-pagecache-base7, yamt-pagecache-base6
Changes since 1.22: +6 -4 lines

npf_packet_handler: drop the packet if IPv6 reassembly did not work.

Revision 1.22, Sun Sep 16 13:47:41 2012 UTC (8 months ago) by rmind
Branch: MAIN
Changes since 1.21: +5 -4 lines

Implement dynamic NPF extensions interface.  An extension consists of
dynamically loaded module (.so) supplementing npfctl(8) and a kernel
module.  Move normalisation and logging functionality into their own
extensions.  More improvements to come.

Revision 1.21, Sun Aug 12 03:35:14 2012 UTC (9 months, 1 week ago) by rmind
Branch: MAIN
Branch point for: tls-maxphys
Changes since 1.20: +4 -4 lines

- Extend npftest: add ruleset inspection testing from the config generated
  by npfctl debug functionality.  Auto-create npftest interfaces for this.
- NPF sessions: combine protocol and interface into a separate substructure,
  share between the entries and thus fix the handling of them.  Constify.
- npftest: add regression tests for NAT policies.
- npf_build_nat: simplify and fix bi-NAT regression.
- Bump yacc stack size for npfctl.

Revision 1.20, Sun Jul 15 00:23:00 2012 UTC (10 months, 1 week ago) by rmind
Branch: MAIN
Changes since 1.19: +6 -5 lines

- Rework NPF tables and fix support for IPv6.  Implement tree table type
  using radix / Patricia tree.  Universal IPv4/IPv6 comparator for ptree(3)
  was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.

Revision 1.19, Mon Jul 2 06:55:58 2012 UTC (10 months, 3 weeks ago) by rmind
Branch: MAIN
Changes since 1.18: +3 -3 lines

npf_packet_handler: fix gcc unused warning.

Revision 1.18, Sun Jul 1 23:21:06 2012 UTC (10 months, 3 weeks ago) by rmind
Branch: MAIN
Changes since 1.17: +14 -13 lines

NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary "pass proto <name/number>".
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theoretical races in session handling module.
- Misc fixes, simplifications and some clean up.

Revision 1.17, Wed May 30 21:38:03 2012 UTC (11 months, 3 weeks ago) by rmind
Branch: MAIN
CVS Tags: jmcneill-usbmp-base10
Changes since 1.16: +2 -4 lines

npftest: add a stream processor, which prints out the TCP state information.
A tool for debugging connection tracking from tcpdump -w captured data.

Revision 1.16, Sun May 6 02:45:25 2012 UTC (12 months, 2 weeks ago) by rmind
Branch: MAIN
CVS Tags: yamt-pagecache-base5
Changes since 1.15: +30 -20 lines

- Fix double-free case on ICMP return case.
- npf_pfil_register: handle kernels without INET6 option correctly.
- Reduce some #ifdefs.

Revision 1.15, Sun Mar 11 18:27:59 2012 UTC (14 months, 1 week ago) by rmind
Branch: MAIN
CVS Tags: yamt-pagecache-base4, jmcneill-usbmp-base9, jmcneill-usbmp-base8
Changes since 1.14: +12 -6 lines

- Save active config in proplib dictionary; add GETCONF ioctl to retrieve.
- Few fixes.  Improve some comments.

Revision 1.14, Mon Feb 20 00:18:19 2012 UTC (15 months ago) by rmind
Branch: MAIN
CVS Tags: jmcneill-usbmp-base7, jmcneill-usbmp-base6, jmcneill-usbmp-base5, jmcneill-usbmp-base4, jmcneill-usbmp-base3
Changes since 1.13: +34 -30 lines

- Add NPF_DECISION_BLOCK and NPF_DECISION_PASS.  Be more defensive in the
  packet handler.  Change the default policy to block when the config is
  loaded and set it to pass when flush operation is performed.
- Use kmem_zalloc(9) instead of kmem_alloc(9) in few places.
- npf_rproc_{create,release}: use kmem_intr_{alloc,free} as the destruction
  of rule procedure might happen in the interrupt handler (under a very rare
  condition, if config reload races with the handler).
- npf_session_establish: check whether layer 3 and 4 are cached.
- npfctl_build_group: do not make groups as passing rules.
- Remove some unnecessary header inclusion.

Revision 1.13, Mon Feb 6 23:30:14 2012 UTC (15 months, 2 weeks ago) by rmind
Branch: MAIN
CVS Tags: netbsd-6-base, jmcneill-usbmp-base2
Branch point for: netbsd-6
Changes since 1.12: +36 -26 lines

- Split NPF rule procedure code into a separate module (no functional changes).
- Simplify some code, add more comments, some asserts.
- G/C unused rule hook code.

Revision 1.12, Sun Jan 15 00:49:48 2012 UTC (16 months, 1 week ago) by rmind
Branch: MAIN
Changes since 1.11: +3 -2 lines

- Expire all sessions on flush.
- Enable checking for zero mask in IP{4,6}MATCH after npfctl changes.
- Make locking symmetric for npf_ruleset_inspect().
- Sync function prototypes in npf(3) man page with reality.
- Rename NPF_TABLE_RBTREE to NPF_TABLE_TREE.

Revision 1.11, Tue Nov 29 20:05:30 2011 UTC (17 months, 3 weeks ago) by rmind
Branch: MAIN
CVS Tags: jmcneill-usbmp-pre-base2, jmcneill-usbmp-base
Branch point for: jmcneill-usbmp
Changes since 1.10: +9 -9 lines

- Rework and improve TCP state tracking.
- Fix regressions after IPv6 patch merge.

Note: npfctl(8) rework will come soon.

Revision 1.10, Sun Nov 6 02:49:03 2011 UTC (18 months, 2 weeks ago) by rmind
Branch: MAIN
CVS Tags: yamt-pagecache-base3, yamt-pagecache-base2, jmcneill-audiomp3-base, jmcneill-audiomp3
Changes since 1.9: +13 -14 lines

Few fixes, KNF/style, bump the NPF version.

Revision 1.9, Sat Nov 5 10:23:26 2011 UTC (18 months, 2 weeks ago) by zoltan
Branch: MAIN
Changes since 1.8: +7 -4 lines

When building the kernel without IPv6 support, compilation failed.
Fix that.

Revision 1.8, Fri Nov 4 01:00:27 2011 UTC (18 months, 2 weeks ago) by zoltan
Branch: MAIN
Changes since 1.7: +39 -10 lines

Add IPv6 support for NPF.

Revision 1.7, Wed Feb 2 02:20:25 2011 UTC (2 years, 3 months ago) by rmind
Branch: MAIN
CVS Tags: yamt-pagecache-base, rmind-uvmplock-nbase, rmind-uvmplock-base, cherry-xenmp-base, cherry-xenmp, bouyer-quota2-nbase, bouyer-quota2-base
Branch point for: yamt-pagecache, rmind-uvmplock
Changes since 1.6: +8 -5 lines

NPF checkpoint:
- Add libnpf(3) - a library to control NPF (configuration, ruleset, etc).
- Add NPF support for ftp-proxy(8).
- Add rc.d script for NPF.
- Convert npfctl(8) to use libnpf(3) and thus make it less depressive.
  Note: next clean-up step should be a parser, once dholland@ finishes it.
- Add more documentation.
- Various fixes.

Revision 1.6, Tue Jan 18 20:33:45 2011 UTC (2 years, 4 months ago) by rmind
Branch: MAIN
Branch point for: bouyer-quota2
Changes since 1.5: +27 -21 lines

NPF checkpoint:
- Add the concept of rule procedure: separate normalization, logging and
  potentially other functions from the rule structure.  Rule procedure can be
  shared amongst the rules.  Separation is both at kernel level (npf_rproc_t)
  and configuration ("procedure" + "apply").
- Fix portmap sharing for NAT policy.
- Update TCP state tracking logic.  Use TCP FSM definitions.
- Add if_byindex(), OK by matt@.  Use in logging for the lookup.
- Fix traceroute ALG and many other bugs; misc clean-up.

Revision 1.5, Sat Dec 18 01:07:25 2010 UTC (2 years, 5 months ago) by rmind
Branch: MAIN
CVS Tags: matt-mips64-premerge-20101231, jruoho-x86intr-base
Branch point for: jruoho-x86intr
Changes since 1.4: +25 -8 lines

NPF checkpoint:
- Add support for session saving/restoring.
- Add packet logging support (can tcpdump a pseudo-interface).
- Support reload without flushing of sessions; rework some locking.
- Revisit session management, replace linking with npf_sentry_t entries.
- Add some counters for statistics, using percpu(9).
- Add IP_DF flag cleansing.
- Fix various bugs; misc clean-up.

Revision 1.4, Thu Nov 11 06:30:39 2010 UTC (2 years, 6 months ago) by rmind
Branch: MAIN
Changes since 1.3: +29 -5 lines

NPF checkpoint:
- Add proper TCP state tracking as described in Guido van Rooij paper,
  plus handle TCP Window Scaling option.
- Completely rework npf_cache_t, reduce granularity, simplify code.
- Add npf_addr_t as an abstraction, amend session handling code, as well
  as NAT code et al, to use it.  Now design is prepared for IPv6 support.
- Handle IPv4 fragments i.e. perform packet reassembly.
- Add support for IPv4 ID randomization and minimum TTL enforcement.
- Add support for TCP MSS "clamping".
- Random bits for IPv6.  Various fixes and clean-up.
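
The TCP state tracking named in the first item above (van Rooij's window check, with the window-scale option taken into account) is shown here as an added example in C. It is not NPF's code: the data structures, the MAXACKWINDOW constant (the value pf uses) and the handshake values are constructed for illustration, and option parsing, checksum verification and mbuf handling are assumed to have been done before the check runs.

```c
/*
 * Added example, not NPF's code: van Rooij style TCP window tracking with the
 * window-scale shift from the SYNs applied to later segments.  Option parsing,
 * checksums and mbuf handling are assumed to have been done by the caller.
 */
#include <stdbool.h>
#include <stdint.h>

#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_ACK 0x10
#define MAXACKWINDOW 66000  /* largest ack skew tolerated, in bytes (pf's value) */
#define SEQ_LT(a, b) ((int32_t)((a) - (b)) < 0)  /* modulo 2^32 comparisons */
#define SEQ_GT(a, b) ((int32_t)((a) - (b)) > 0)

struct tcp_end {
	bool     seen, ws_ok;  /* its SYN has been seen; that SYN offered window scaling */
	uint8_t  wscale;       /* the shift count it offered */
	uint16_t max_win;      /* largest raw window it has advertised */
	uint32_t seq_end;      /* one past the highest sequence number it has sent */
	uint32_t seq_max;      /* highest sequence number its peer will currently accept */
};
/* side[0] sent the first SYN; scaling is set once both SYNs offered WSopt. */
struct tcp_track { struct tcp_end side[2]; bool scaling; };

struct tcp_seg {           /* parsed header fields of one segment */
	uint32_t seq, ack;
	uint16_t win, len;     /* raw window field, payload length */
	uint8_t  flags, wscale;
	bool     has_wscale;   /* WSopt present; only meaningful on a SYN */
};

/* Check a segment from side dir against the tracked windows and update them.
 * Returns true if it is in window (pass), false if it should be dropped. */
bool tcp_track(struct tcp_track *st, int dir, const struct tcp_seg *s)
{
	struct tcp_end *src = &st->side[dir], *dst = &st->side[dir ^ 1];
	const bool syn = (s->flags & TH_SYN) != 0, has_ack = (s->flags & TH_ACK) != 0;
	uint32_t last = s->seq + s->len + (syn ? 1 : 0) + ((s->flags & TH_FIN) ? 1 : 0); /* SYN/FIN take one seq each */

	if (!src->seen) {
		/* A side's first segment must be its SYN, or a SYN-ACK acking our SYN exactly. */
		if (!syn || (has_ack && (!dst->seen || s->ack != dst->seq_end)))
			return false;
		src->seen = true;
		src->seq_end = src->seq_max = last;  /* only a SYN retransmit until the peer acks */
		src->max_win = s->win ? s->win : 1;
		src->ws_ok = s->has_wscale;
		src->wscale = s->has_wscale ? (s->wscale > 14 ? 14 : s->wscale) : 0;
		if (dst->seen) {
			st->scaling = src->ws_ok && dst->ws_ok;
			/* A SYN-ACK's window is never scaled; it bounds what the initiator may send. */
			dst->seq_max = s->ack + (s->win ? s->win : 1);
		}
		return true;
	}
	/* Shifts apply only once both sides offered them, and never to a SYN's own window. */
	unsigned sws = (st->scaling && !syn) ? src->wscale : 0;
	unsigned dws = st->scaling ? dst->wscale : 0;
	uint32_t win = (uint32_t)s->win << sws;

	if (SEQ_GT(last, src->seq_max))  /* 1. past what the peer said it accepts */
		return false;
	if (SEQ_LT(s->seq, src->seq_end - ((uint32_t)dst->max_win << dws)))
		return false;                /* 2. retransmit more than one peer window back */
	if (has_ack) {                   /* 3. ack far from what the peer actually sent */
		int32_t skew = (int32_t)(dst->seq_end - s->ack);
		if (skew < -MAXACKWINDOW || skew > (int32_t)(MAXACKWINDOW << sws))
			return false;
	}
	/* In window: advance the tracked edges. */
	if (SEQ_GT(last, src->seq_end))
		src->seq_end = last;
	if (has_ack && SEQ_GT(s->ack + (win ? win : 1), dst->seq_max))
		dst->seq_max = s->ack + (win ? win : 1);
	if (s->win > src->max_win)
		src->max_win = s->win;
	return true;
}

/* Constructed exchange (client ISN 1000, shift 3; server ISN 5000, shift 7);
 * returns a bitmask with bit i set when segment i was passed. */
unsigned demo_verdicts(void)
{
	static const struct { int dir; struct tcp_seg s; } flow[] = {
		{ 0, { .seq = 1000, .win = 65535, .flags = TH_ACK } },  /* stray ACK before any SYN: drop */
		{ 0, { .seq = 1000, .win = 65535, .flags = TH_SYN, .has_wscale = true, .wscale = 3 } },
		{ 1, { .seq = 5000, .ack = 1001, .win = 65535, .flags = TH_SYN | TH_ACK, .has_wscale = true, .wscale = 7 } },
		{ 0, { .seq = 1001, .ack = 5001, .win = 65535, .flags = TH_ACK } },
		{ 0, { .seq = 1001, .ack = 5001, .win = 65535, .len = 100, .flags = TH_ACK } },
		{ 1, { .seq = 400000, .ack = 1101, .win = 65535, .len = 100, .flags = TH_ACK } },  /* inside 65535 << 3 */
		{ 0, { .seq = 9001101, .ack = 400100, .win = 65535, .len = 100, .flags = TH_ACK } }, /* beyond 65535 << 7: drop */
		{ 0, { .seq = 1101, .ack = 600100, .win = 65535, .flags = TH_ACK } },  /* acks data never sent: drop */
		{ 0, { .seq = 1001, .ack = 400100, .win = 65535, .len = 100, .flags = TH_ACK } },  /* genuine retransmission */
	};
	struct tcp_track st = { 0 };
	unsigned mask = 0;

	for (unsigned i = 0; i < sizeof flow / sizeof flow[0]; i++)
		if (tcp_track(&st, flow[i].dir, &flow[i].s))
			mask |= 1u << i;
	return mask;  /* 0x13e for the flow above */
}
```

The constructed flow shows why the scale factor matters: the server segment at sequence 400000 is far ahead of its last byte (5001) yet inside the client's scaled window (65535 << 3), so it passes, while the same check with the raw 16-bit window would have dropped it; conversely the two injected segments from the client side fail on the window and acknowledgement checks even though their ports and addresses would match the session.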

Revision 1.3, Sun Oct 10 15:29:01 2010 UTC (2 years, 7 months ago) by rmind
Branch: MAIN
CVS Tags: uebayasi-xip-base4, uebayasi-xip-base3
Branch point for: uebayasi-xip
Changes since 1.2: +8 -4 lines

npf_packet_handler: clear M_CANFASTFWD flag, so inspection would work when
fast forwarding is enabled (e.g. with GATEWAY kernel option).  Thanks matt@
for the tip.

Revision 1.2, Thu Sep 16 04:53:27 2010 UTC (2 years, 8 months ago) by rmind
Branch: MAIN
CVS Tags: yamt-nfs-mp-base11
Branch point for: yamt-nfs-mp
Changes since 1.1: +50 -33 lines

NPF checkpoint:
- Add support for bi-directional NAT and redirection / port forwarding.
- Finish filtering on ICMP type/code and add filtering on TCP flags.
- Add support for TCP reset (RST) or ICMP destination unreachable on block.
- Fix a bunch of bugs; misc cleanup.

Revision 1.1, Sun Aug 22 18:56:22 2010 UTC (2 years, 9 months ago) by rmind
Branch: MAIN

Import NPF - a packet filter.  Some features:

- Designed to be fully MP-safe and highly efficient.

- Tables/IP sets (hash or red-black tree) for high performance lookups.

- Stateful filtering and Network Address Port Translation (NAPT).
  Framework for application level gateways (ALGs).

- Packet inspection engine called n-code processor - inspired by BPF -
  supporting generic RISC-like and specific CISC-like instructions for
  common patterns (e.g. IPv4 address matching).  See npf_ncode(9) manual.

- Convenient userland utility npfctl(8) with npf.conf(8).

NOTE: This is not yet a fully capable alternative to PF or IPFilter.
Further work (support for binat/rdr, return-rst/return-icmp, common ALGs,
state saving/restoring, logging, etc) is in progress.

Thanks a lot to Matt Thomas for various useful comments and code review.
Aye by: board@
